Article Details
Scrape Timestamp (UTC): 2024-04-05 22:03:06.361
Original Article Text
The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack

Ransomware attacks targeting VMware ESXi and other virtual machine platforms are wreaking havoc among the enterprise, causing widespread disruption and loss of services.

Panera's massive IT outage last month that took down internal systems, the website, mobile apps, and phones was caused by a ransomware attack encrypting the company's virtual machines. While the company has been able to restore servers from backups, it took almost a week for their systems to be restored.

Similarly, Omni Hotels suffered a massive outage, which took down the company's reservation system, phones, and door lock system. The outage was so severe that guests had to contact a hotel employee to be let into their rooms, as key cards did not work. Omni Hotels confirmed a few days later that they had suffered a cyberattack, with BleepingComputer learning that it was once again a ransomware attack encrypting the company's virtual machines. BleepingComputer has been told that Omni is restoring from backups as well.

This week, Chilean hosting provider IxMetro Powerhost also disclosed a ransomware attack in which the threat actors encrypted the hosting company's VMware ESXi servers. These servers powered customers' virtual private servers (VPS), bringing their websites down as well. Unfortunately, IxMetro was not as lucky as Panera and Omni Hotels, as the threat actors also encrypted the company's backups. The threat actors behind this attack, known as SEXi, demanded two bitcoins per customer for a decryptor.

While virtual machine platforms like VMware ESXi make it much easier for enterprises to manage resources and servers, they have also become a very tempting target for ransomware gangs. With a company's servers now centrally located as virtual machines, threat actors can encrypt a single VMware server to cause massive disruption to a company's operations.
Admins must tighten security on their virtual machine platforms by applying the latest security updates to VM software and the host operating systems, using administrative credentials different from those of the Windows domain, and applying tighter access controls. Today, the Chilean government's CSIRT issued an advisory warning the enterprise to upgrade VMware software to the latest versions and offered advice on securing servers.

While attackers targeting virtual machines are nothing new, this week's attacks continue to show that they are critical IT systems that need to be properly secured to prevent disastrous outages.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @LawrenceAbrams, @billtoulas, @BleepinComputer, @serghei, @Ionut_Ilascu, @Seifreed, @malwrhunterteam, @demonslay335, @1ZRR4H, @BushidoToken, @pcrisk, @JakubKroustek, @AJVicens, @TrendMicro, @AlexMartin, @jgreigj, @TheDFIRReport, @SonicWall, and @CSIRTGOB.

April 1st 2024

Yacht retailer MarineMax discloses data breach after cyberattack
MarineMax, self-described as one of the world's largest recreational boat and yacht retailers, says attackers stole employee and customer data after breaching its systems in a March cyberattack.

From OneNote to RansomNote: An Ice Cold Intrusion
This intrusion started in late February of 2023 and lasted through late March of 2023. The threat actor initially gained access through a phishing campaign, in which they distributed emails containing malicious OneNote attachments. During this period, OneNote files had surged in popularity among initial access brokers. This rise was primarily due to their capability to circumvent email attachment blocking rules and evade detection by existing security mechanisms.

April 2nd 2024

Omni Hotels experiencing nationwide IT outage since Friday
Omni Hotels & Resorts has been experiencing a chain-wide outage that brought down its IT systems on Friday, impacting reservation, hotel room door lock, and point-of-sale (POS) systems.

New GlobeImposter variant
PCrisk found a new GlobeImposter variant that appends the .schrodingercat extension and drops a ransom note named how_to_back_files.html.

April 3rd 2024

Jackson County in state of emergency after ransomware attack
Jackson County, Missouri, is in a state of emergency after a ransomware attack took down some county services on Tuesday.

Hosting firm's VMware ESXi servers hit by new SEXi ransomware
Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company's VMware ESXi servers and backups.

Omni Hotels confirms cyberattack behind ongoing IT outage
Omni Hotels & Resorts has confirmed a cyberattack caused a nationwide IT outage that is still affecting its locations.

Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
Our new article provides key highlights and takeaways from Operation Cronos' disruption of LockBit's operations, as well as telemetry details on how LockBit actors operated post-disruption.

Chaos Ransomware Operator Gives Up Decryption Tool for Free
The SonicWall CaptureLabs threat research team has recently been tracking ransomware created using the Chaos ransomware builder. The builder appeared in June 2021 and has been used by many operators to infect victims and demand payment for file retrieval. The sample we analyzed led us to a conversation with the operator, who freely gave up the decryptor program.

New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .uazq and .uajs extensions.

April 4th 2024

Leicester City Council confirms ransomware attack after confidential documents leaked
Leicester City Council in England has confirmed that last month's cyber incident was a ransomware attack after being made aware that the criminals behind the incident had uploaded stolen documents to their dark web extortion site.

New 'Unkno' ransomware
PCrisk found a new ransomware based on the leaked Babuk source code that appends the .unkno extension and drops a ransom note named RESTORE_YOUR_FILES.txt.

New Chaos ransomware variant
PCrisk found a new Chaos ransomware variant that drops a LEIA-ME.txt ransom note and appends a random extension.

'An attack on the reputation of Palau': officials question who was really behind ransomware incident
They quickly discovered two separate ransom notes: one on a sheet of paper in the printer from the LockBit ransomware gang and one in a README text file put alongside Palau's encrypted documents from the DragonForce ransomware gang.

April 5th 2024

Panera Bread week-long IT outage caused by ransomware attack
Panera Bread's recent week-long outage was caused by a ransomware attack, according to people familiar with the matter and emails seen by BleepingComputer.

ALPHV steps up laundering of Change Healthcare ransom payments
Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.

New Makop variant
PCrisk found a new Makop variant that appends the .datah extension.

New ransomware variant
PCrisk found a new Python ransomware that appends the .rincrypt extension and drops a ransom note named READ THIS.txt.

New STOP ransomware variant
Jakub Kroustek found a new STOP ransomware variant that appends the .kaaa extension.

New Dharma ransomware variant
Jakub Kroustek found a new Dharma variant that appends the .hunt extension.

That's it for this week! Hope everyone has a nice weekend!
Daily Brief Summary
Ransomware threats are increasingly targeting virtual machine platforms such as VMware ESXi, causing significant operational disruptions.
Panera Bread experienced a week-long IT outage due to ransomware encryption of their virtual machines, with restoration from backups taking nearly a week.
Omni Hotels also suffered a ransomware attack that led to a massive IT outage, affecting reservation and key card systems, with guest access to rooms impacted.
Chilean hosting provider IxMetro Powerhost fell victim to SEXi ransomware, which encrypted its VMware ESXi servers and the company's backups, with the attackers demanding two bitcoins per customer for a decryptor.
The Chilean government's CSIRT has issued an advisory urging enterprises to update VMware software and apply enhanced security measures to protect against these ransomware attacks.
Security professionals are advised to apply the latest security updates, use unique administrative credentials, and implement strict access controls to safeguard virtual machine platforms.
Virtual machine platforms' centralization of company servers makes them attractive targets for ransomware, underlining the need for improved, specific security practices in this area.